The file format indicates that these files contain a specific signature, 0x4C (4C 00 00 00) at offset 0 within the file/stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.

The file format indicates that these files contain a specific signature, 0x4C (4C 00 00 00) at offset 0 within the file/stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.

−

Understanding this file format can be extremely useful for an analyst, as not only are shortcut files still employed as of Windows 7, but the binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump List]] files on Windows 7 and 8.

+

Understanding this file format can be extremely useful for an analyst, as not only are shortcut files still employed as of Windows 7, but the binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump Lists]] files on [[Windows 7]] and [[Windows 8|8]].

== Metadata ==

== Metadata ==
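Review bot: On the + line, "[[Jump Lists]] files" puts a plural link in front of "files", which reads awkwardly; piping the link, e.g. [[Jump Lists|Jump List]] files, keeps the target and fixes the grammar. The [[Windows 8|8]] pipe also leaves a link whose visible text is only "8", so spelling out "Windows 8" would be clearer for readers who land on the link out of context.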

Line 40:

Line 40:

== External Links ==

== External Links ==

−

* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations]

+

* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations], by [[Harry Parsonage]], September 2008

−

* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
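Review bot: The mitec.cz tool link on the last − line has no matching + line in the visible part of this hunk, so the page appears to lose its only tool reference here. If the removal is deliberate (dead link, or moved to a tools section), state that in the edit summary; otherwise restore the entry. The author and date added to the Parsonage paper link look fine.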

Latest revision as of 09:05, 30 November 2013


File Format

The Windows Shortcut file has the extension .lnk.
It is essentially a metadata file, specific to the Microsoft Windows platform, and is interpreted by the Windows Shell.
The file format indicates that these files contain a specific signature, 0x4C (4C 00 00 00) at offset 0 within the file/stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.

Understanding this file format can be extremely useful for an analyst: not only are shortcut files still employed as of Windows 7, but the same binary format is also used in the numbered streams within *.automaticDestinations-ms Jump List files on Windows 7 and 8.
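The following added example (not part of the original wiki page) identifies shell link headers by the signature and CLSID described above, either at the start of a .lnk file or carved out of a larger buffer such as a dumped Jump List stream. It goes slightly beyond the text by also reading the three target timestamps from the same 76-byte header; the field offsets are taken from Microsoft's MS-SHLLINK specification, and the sample bytes are constructed for illustration.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C  # signature at offset 0; it is also the header length in bytes
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# On disk the GUID is mixed-endian: 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46
MAGIC = struct.pack("<I", HEADER_SIZE) + LINK_CLSID.bytes_le

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_header(buf, offset=0):
    """Return header fields if a complete shell link header starts at offset, else None."""
    if len(buf) - offset < HEADER_SIZE or buf[offset:offset + 20] != MAGIC:
        return None
    # Offsets per MS-SHLLINK: flags @20, attributes @24, three FILETIMEs @28/36/44, size @52
    flags, attrs, ctime, atime, mtime, size = struct.unpack_from("<IIQQQI", buf, offset + 20)
    return {"offset": offset, "link_flags": flags, "file_attributes": attrs,
            "created": filetime_to_utc(ctime), "accessed": filetime_to_utc(atime),
            "modified": filetime_to_utc(mtime), "target_size": size}

def find_headers(buf):
    """Carve every complete candidate header out of a larger buffer."""
    hits, pos = [], buf.find(MAGIC)
    while pos != -1:
        hdr = parse_header(buf, pos)
        if hdr:  # truncated matches near the end of the buffer are skipped
            hits.append(hdr)
        pos = buf.find(MAGIC, pos + 1)
    return hits

# Constructed sample: 7 junk bytes, one full header, then a truncated header.
EPOCH_FT = 116444736000000000  # 1970-01-01 00:00:00 UTC expressed as a FILETIME
SAMPLE = (b"\x00" * 7
          + MAGIC + struct.pack("<IIQQQI", 0x81, 0x20, EPOCH_FT, 0,
                                EPOCH_FT + 10_000_000, 1234) + b"\x00" * 20
          + MAGIC + b"\x00" * 10)

if __name__ == "__main__":
    for hit in find_headers(SAMPLE):
        print(hit)
```

Matching on the full 20-byte prefix rather than the 4-byte signature alone avoids false positives, since the value 4C 00 00 00 is common in arbitrary binary data.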

Metadata

MAC times of the target. These are a snapshot of the target's date and time stamps before it was last opened. The target can be several things, for example a (linked) file;